amass
Discover attack surface by subdomain enumeration
TLDR
Execute an Amass subcommand
Display help
Display help on an Amass subcommand
Display version
SYNOPSIS
amass <command> [options]
Common commands:
enum: Perform subdomain enumeration and other OSINT gathering.
Usage: amass enum -d example.com [options]
db: Interact with the Amass graph database.
Usage: amass db -dir /path/to/db [options]
track: Track differences in enumeration results over time.
Usage: amass track -d example.com [options]
viz: Generate network graphs from enumeration results.
Usage: amass viz -d example.com [options]
PARAMETERS
-d <domain>
Target domain for enumeration (e.g., example.com).
-active
Enable active enumeration techniques (e.g., brute-forcing, port scanning). Requires more resources and can be detected.
-passive
Enable passive enumeration techniques (e.g., scraping OSINT sources). Less intrusive and less detectable.
-ip
Show IP addresses for discovered subdomains.
-o <file>
Output enumeration results to a specified file.
-json <file>
Output enumeration results in JSON format to a specified file.
-brute
Enable brute-force subdomain enumeration using common wordlists or custom ones.
-w <wordlist>
Specify a wordlist file for brute-force enumeration.
-src
List all data sources utilized by Amass.
-dir <directory>
Specify a directory for the Amass database and output files.
-config <file>
Specify a configuration file for Amass (e.g., for API keys, resolvers).
-v
Enable verbose output, showing detailed information during the scan.
-r <resolver>
Specify custom DNS resolvers (e.g., 8.8.8.8,1.1.1.1).
-p <port>
Specify ports for active scanning (e.g., 80,443,22).
-no-recursive
Disable recursive subdomain enumeration (i.e., only find immediate subdomains).
-timeout <duration>
Set a maximum time for the enumeration to run (e.g., 10m).
DESCRIPTION
The OWASP Amass project is a sophisticated tool designed for comprehensive network reconnaissance. It specializes in external attack surface mapping, primarily through subdomain enumeration and OSINT (Open-Source Intelligence) gathering. Amass employs a variety of techniques, including passive methods like scraping various public data sources (e.g., DNS records, web archives, search engines, threat intelligence platforms, and numerous third-party APIs) and active methods such as brute-forcing, permutations, DNS querying, and web crawling. Its ability to combine multiple discovery methods makes it exceptionally effective in uncovering a broad range of subdomains, IP addresses, and other related assets linked to a target organization. This information is crucial for security assessments, penetration testing, and understanding an organization's public-facing infrastructure.
CAVEATS
API Keys Required: Many of Amass's most effective data sources (e.g., various threat intelligence platforms, search engines) require API keys. Without these, the tool's performance will be significantly limited.
Resource Intensive: Active enumeration, especially with brute-forcing and extensive recursive searches, can consume significant CPU, memory, and network bandwidth.
Legal and Ethical Considerations: While passive enumeration is generally safe, active techniques can be considered intrusive. Always ensure you have explicit permission to conduct reconnaissance on target domains.
False Positives/Negatives: Like any reconnaissance tool, Amass may occasionally produce false positives (non-existent subdomains) or miss some legitimate ones (false negatives), especially with highly protected or obscure targets.
ARCHITECTURE & EXTENSIBILITY
Amass is designed with a highly modular and extensible architecture. It leverages a graph database (by default, a local BoltDB instance, but can be configured for others) to store and interlink discovered assets, making it efficient for tracking and visualizing relationships between subdomains, IP addresses, ASNs, and other network entities. Users can extend Amass's capabilities by adding custom data sources or integrating it into larger automation workflows. Its output can be easily parsed (especially JSON output) for further analysis.
COMMON USAGE PATTERNS
1. Basic Passive Scan:
amass enum -passive -d example.com -o output.txt
(Performs a quick, quiet scan using OSINT sources.)
2. Comprehensive Active Scan (with brute-force):
amass enum -active -brute -d example.com -w /path/to/wordlist.txt -json output.json
(A more aggressive scan, combining active discovery with a wordlist for brute-forcing, saving results in JSON.)
3. Specifying Resolvers and Output Directory:
amass enum -d example.com -r 1.1.1.1,8.8.8.8 -dir /home/user/amass_results
(Uses specific DNS resolvers and stores all results in a dedicated directory.)
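Added example, not code from the Amass project or this page: a Python script that parses the `-json` output described under ARCHITECTURE & EXTENSIBILITY, compares two runs the way `amass track` does (new hosts, vanished hosts, new IPs), and flags hosts that resolve outside the ranges the organization knows it owns. The field names (`name`, `addresses[].ip`) are assumed from Amass v3 JSON output, and both runs below are constructed samples.

```python
import ipaddress
import json
from typing import Dict, Iterable, Set

# Constructed samples of two `amass enum -json` runs taken a week apart. One JSON
# object per line, field names as assumed from Amass v3; verify against your own files.
RUN_OLD = """\
{"name":"www.example.com","domain":"example.com","addresses":[{"ip":"192.0.2.10","cidr":"192.0.2.0/24","asn":64496,"desc":"EXAMPLE-AS"}],"tag":"cert","sources":["Crtsh"]}
{"name":"mail.example.com","domain":"example.com","addresses":[{"ip":"192.0.2.25","cidr":"192.0.2.0/24","asn":64496,"desc":"EXAMPLE-AS"}],"tag":"dns","sources":["DNS"]}
"""
RUN_NEW = """\
{"name":"www.example.com","domain":"example.com","addresses":[{"ip":"192.0.2.10","cidr":"192.0.2.0/24","asn":64496,"desc":"EXAMPLE-AS"},{"ip":"192.0.2.11","cidr":"192.0.2.0/24","asn":64496,"desc":"EXAMPLE-AS"}],"tag":"cert","sources":["Crtsh"]}
{"name":"dev.example.com","domain":"example.com","addresses":[{"ip":"198.51.100.7","cidr":"198.51.100.0/24","asn":64497,"desc":"OTHER-AS"}],"tag":"brute","sources":["Brute Forcing"]}
not json at all
"""

def parse_amass_json(text: str) -> Dict[str, Set[str]]:
    """Map each discovered hostname to the set of IPs Amass resolved for it.
    Blank or malformed lines are skipped instead of aborting the whole parse."""
    assets: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        name = rec.get("name")
        if not name:
            continue
        ips = {a["ip"] for a in rec.get("addresses", []) if "ip" in a}
        assets.setdefault(name, set()).update(ips)
    return assets

def diff_runs(old: Dict[str, Set[str]], new: Dict[str, Set[str]]) -> dict:
    """What changed between two enumerations (the question `amass track` answers)."""
    return {
        "new_hosts": sorted(set(new) - set(old)),
        "gone_hosts": sorted(set(old) - set(new)),
        "new_ips": {h: sorted(new[h] - old[h])
                    for h in set(old) & set(new) if new[h] - old[h]},
    }

def outside_known_ranges(assets: Dict[str, Set[str]], known_cidrs: Iterable[str]) -> Dict[str, Set[str]]:
    """Hosts resolving outside the ranges you own: shadow IT, a dangling record, or a false positive."""
    nets = [ipaddress.ip_network(c) for c in known_cidrs]
    stray = {h: {ip for ip in ips if not any(ipaddress.ip_address(ip) in n for n in nets)}
             for h, ips in assets.items()}
    return {h: ips for h, ips in stray.items() if ips}
```

On real data, feed each run's file contents to `parse_amass_json` and review `diff_runs` output as a change feed for the external attack surface, with `outside_known_ranges` as a triage filter for the false-positive caveat above.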
HISTORY
The OWASP Amass project was initiated and is continuously maintained by the Open Web Application Security Project (OWASP), a nonprofit foundation that works to improve the security of software. It was conceived to provide a robust, comprehensive, and scalable solution for external attack surface mapping, addressing the shortcomings of previous, more limited subdomain enumeration tools. Its development has focused on integrating a wide array of passive and active techniques, making it a prominent and indispensable tool in the cybersecurity community for reconnaissance, penetration testing, and vulnerability assessment.
SEE ALSO
nmap(1), dnsrecon(1), sublist3r(1), assetfinder(1), theharvester(1), knockpy(1)